Bug#697434: pu: package gzip/1.3.12-9+deb6u0
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
I would like to upload a patched version of gzip to fix #627121
(grave; use of memcpy with overlapping memory regions).
This bug was fixed in gzip/1.4-1 by upstream changes; looking at the
upstream ChangeLog[1], only a single file (inflate.c) was affected[2].
I have attached the relevant source debdiff.
~Niels
[1] http://git.gag.com/?p=debian/gzip;a=blobdiff;f=ChangeLog;h=f1f25ab210301c783ce32d17c1457a7550d909f3;hp=6b61a98984c0a578fd0224f1f3b8b2c5ffe1e26a;hb=a2016c1de6e4884f6c8ed5cc498f3bf821c25ca4;hpb=c7e61475680fa226bd9b8bdd469cd66914e630f5
[2] The last chunck of:
http://git.gag.com/?p=debian/gzip;a=blobdiff;f=inflate.c;h=75353e2d72b50f0fb48d51a5ef6498d324dbf901;hp=b72c187ee38315c604b236357bee2d33f030f299;hb=a2016c1de6e4884f6c8ed5cc498f3bf821c25ca4;hpb=c7e61475680fa226bd9b8bdd469cd66914e630f5
diff -u gzip-1.3.12/inflate.c gzip-1.3.12/inflate.c
--- gzip-1.3.12/inflate.c
+++ gzip-1.3.12/inflate.c
@@ -595,7 +595,8 @@
do {
n -= (e = (e = WSIZE - ((d &= WSIZE-1) > w ? d : w)) > n ? n : e);
#if !defined(NOMEMCPY) && !defined(DEBUG)
- if (w - d >= e) /* (this test assumes unsigned comparison) */
+ unsigned int delta = w > d ? w - d : d - w;
+ if (delta >= e)
{
memcpy(slide + w, slide + d, e);
w += e;
diff -u gzip-1.3.12/debian/changelog gzip-1.3.12/debian/changelog
--- gzip-1.3.12/debian/changelog
+++ gzip-1.3.12/debian/changelog
@@ -1,3 +1,11 @@
+gzip (1.3.12-9+deb6u0) UNRELEASED; urgency=low
+
+ * Non-maintainer upload to stable.
+ * Backport upstream patch to avoid using memcpy on overlapping
+ memory regions. (Closes: #627121)
+
+ -- Niels Thykier <niels@thykier.net> Sat, 05 Jan 2013 11:31:24 +0100
+
gzip (1.3.12-9) unstable; urgency=high
* fix applied for CVE-2010-0001 which identified an integer underflow when
Reply to: